
Security Information Management New approaches Eurosec 2006 David Bizeul - CISSP.


1 Security Information Management New approaches Eurosec 2006 David Bizeul - CISSP

2 SIM/SEM state of the art; Correlation: difficulties; Correlation modes and new approaches; Algorithms and principles; Synopsis

3 Security information. Today, information is everywhere, unclassified and in multiple formats. How to unify data? How to consolidate data? How to analyze data?

4 Security: all interesting security information, real threat, risk evolution, unavailability. Information: vulnerability audit report, inventory base, trend report, event logs, network flows. Management: regulation conformity, centralized data management. SIM / SEM differences; convergence of SIM and SEM.

5 SIM, why? Visibility: information standardization, data consolidation, results analysis. Regulation compliance: Basel II, SOX. Security team initialization: SOC, CSIRT. Help the security team to post-analyze. Investment trends / dashboards.

6 SIM principles: multiple collectors, centralized management, reaction processes, multi-layered views.

7 SIM/SEM state of the art; Correlation: difficulties; Correlation modes and new approaches; Algorithms and principles; Synopsis

8 Standardization. Know the event type: information taxonomy, many vendors, huge load of work. Logging types: SNMP, Syslog, different vendor formats. Standardize: place data fields in different containers; some data may be lost.
Raw firewall record as captured (some fields are blank in the transcript):
15;29Aug2005;14:00:59; ;account;accept;;daemon;inbound;tcp; ; ;http;2736;3;0:00:04;29Aug :00:07;18;6400;http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;
Normalized fields: Timestamp: ; Sensortype: firewall; Sensorid: 14; Action: accept; Source: ; Destination: ; SPort: 2736; DPort: 80; Information:
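As an added example (not code from the presentation), a small normalizer that places a record in the semicolon-separated firewall layout shown above into the slide's common fields, deriving DPort from the service name and dropping the fields that have no container. The sample line is constructed, with documentation-range addresses in place of the original ones, and the sensor id is assumed to come from the collector's configuration.

```python
from dataclasses import dataclass
from datetime import datetime

# Service-name to destination-port table (assumption: the collector keeps one;
# the slide derives DPort 80 from the "http" service field).
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "dns": 53}

# Constructed sample in the layout of the slide's firewall record; the addresses
# and origin name are placeholders, not values from the original log.
SAMPLE_LINE = ("15;29Aug2005;14:00:59;fw-paris;account;accept;;daemon;inbound;tcp;"
               "192.0.2.10;198.51.100.5;http;2736;3;0:00:04;29Aug2005 14:01:07;18;6400;"
               "http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;")

@dataclass
class NormalizedEvent:
    timestamp: str
    sensortype: str
    sensorid: int
    action: str
    source: str
    destination: str
    sport: int
    dport: int
    information: str

def normalize_fw_line(line: str, sensor_id: int) -> NormalizedEvent:
    """Place the positional fields of one firewall record into the SIM's common
    containers. Positions assumed from the slide's sample: 1=date, 2=time,
    5=action, 10=source, 11=destination, 12=service, 13=source port, 19=URL.
    Direction, daemon and byte counts have no container and are dropped: this
    is the "some data may be lost" step."""
    f = [x.strip() for x in line.split(";")]
    if len(f) < 20:
        raise ValueError(f"expected at least 20 fields, got {len(f)}")
    ts = datetime.strptime(f[1] + " " + f[2], "%d%b%Y %H:%M:%S")
    # Unknown service names map to port 0 rather than a guessed value.
    dport = SERVICE_PORTS.get(f[12].lower(), 0)
    return NormalizedEvent(
        timestamp=ts.isoformat(),
        sensortype="firewall",
        sensorid=sensor_id,
        action=f[5].lower(),
        source=f[10],
        destination=f[11],
        sport=int(f[13]) if f[13].isdigit() else 0,
        dport=dport,
        information=f[19],
    )

if __name__ == "__main__":
    print(normalize_fw_line(SAMPLE_LINE, sensor_id=14))
```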

9 Volumetry. Correct visibility != send everything. Useless consumption (network, storage, memory...). Necessity to act early (product config, local agent, collector). Some components are useless (accept proxy log). 50 EPS = 1000 EPS; E_SNMP_antivirus != E_log_IDS. Real-time correlation = system calculation; context = memory (RAM); database storage = heavy disk space.

10 Correlation and aggregation. Aggregation: anonymization issue, bad standardization issue. Correlation rules: IP src: spoofing and anonymization issue; sliding windows...; Hell direction; vulnerability: IDS avoidance. Statistical correlation: take your time.

11 Efficient alarm: good and early configuration to obtain an adapted result.

12 SIM/SEM state of the art; Correlation: difficulties; Correlation modes and new approaches; Algorithms and principles; Synopsis

13 Severity (before standardization / after standardization / result): alert severity: drop -> fw.reject -> 5/10; asset weight: business zone -> 3/4; result: atomic alarm, medium severity.

14 Rules. Stateless: standard alarm, IF Address=A -> atomic alarm, medium severity. Stateful: IF TYPE=fw.reject AND TYPE=proxy.accept -> correlated alarm, high severity. Context: severity +1.

15 Context. Time analysis: window = attack time. Timeline: start: atomic alarm, medium severity; then an atomic alarm of minor severity is raised to medium severity by context improvement; new context: atomic alarm, medium severity.
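The severity scoring, stateful rule and time-window context of slides 13 to 15, worked through in an added example that is not the presentation's own code. The score thresholds, the window length and the sample addresses are assumptions; the slide gives only the one case 5/10 x 3/4 -> medium.

```python
from collections import defaultdict, deque

LEVELS = ["minor", "medium", "high"]
# Assumed score thresholds; the slide only gives the case 5/10 x 3/4 -> medium.
MEDIUM_AT, HIGH_AT = 0.25, 0.6

def atomic_level(alert_severity: int, asset_weight: int) -> str:
    """Severity after standardization: alert severity (out of 10) scaled by the
    asset weight of the business zone (out of 4)."""
    score = (alert_severity / 10) * (asset_weight / 4)
    return "high" if score >= HIGH_AT else "medium" if score >= MEDIUM_AT else "minor"

def raise_level(level: str, steps: int = 1) -> str:
    return LEVELS[min(len(LEVELS) - 1, LEVELS.index(level) + steps)]

class Correlator:
    """Stateful rule of the slide: TYPE=fw.reject AND TYPE=proxy.accept for the
    same address inside the time window -> correlated alarm, high severity.
    Any other earlier activity for that address inside the window is context
    and raises the atomic severity by one step."""
    RULE_PAIR = ("fw.reject", "proxy.accept")

    def __init__(self, window_seconds: int, asset_weights: dict):
        self.window = window_seconds
        self.weights = asset_weights          # address -> business-zone weight (1..4)
        self.history = defaultdict(deque)     # address -> deque of (t, event type)

    def feed(self, t: float, address: str, ev_type: str, alert_severity: int):
        """Return (severity level, 'atomic' | 'correlated') for one event."""
        hist = self.history[address]
        hist.append((t, ev_type))
        while t - hist[0][0] > self.window:   # window = attack time
            hist.popleft()
        seen = {ty for _, ty in hist}
        if all(p in seen for p in self.RULE_PAIR):
            return "high", "correlated"
        level = atomic_level(alert_severity, self.weights.get(address, 1))
        if len(hist) > 1:                     # earlier events in window: context +1
            level = raise_level(level)
        return level, "atomic"
```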

16 Correlation approaches (diagram labels): IP addresses, vulnerability correlation, statistical, scenario, risk, predictable; first steps, real view, mathematical analysis, security analysis, close to business; axes: active tool, time.

17 Centralized or multiple supervision. Multi-hosting supervision: each site may have its own collector and analyzer; centralized SOC.

18 Statistical correlation: EPS threshold, auto learning, moving average / variance, never-before-seen approach. Evolutions. Constant issues: hard to define the threshold; new application, special event...
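An added example (not from the presentation) of the two statistical techniques named on this slide: an EPS threshold learned from a moving average and variance, and a never-before-seen detector. The multiplier k, the warm-up length and the deviation floor are assumptions.

```python
import math
from collections import deque

class EpsMonitor:
    """Events-per-second threshold learned from a moving average and variance.
    A sample is anomalous when it exceeds mean + k * stddev of the last `window`
    samples (k, warm-up and the deviation floor are assumed, not from the slide)."""
    def __init__(self, window: int = 60, k: float = 3.0, warmup: int = 10,
                 min_std: float = 1.0):
        self.samples = deque(maxlen=window)
        self.k, self.warmup, self.min_std = k, warmup, min_std

    def threshold(self) -> float:
        n = len(self.samples)
        mean = sum(self.samples) / n
        var = sum((x - mean) ** 2 for x in self.samples) / n
        # Floor the deviation so a perfectly flat baseline does not alarm on +1 EPS.
        return mean + self.k * max(math.sqrt(var), self.min_std)

    def observe(self, eps: float) -> bool:
        """Return True if `eps` breaks the learned threshold. Anomalous samples are
        not fed back into the baseline, so a flood cannot raise its own threshold."""
        if len(self.samples) >= self.warmup and eps > self.threshold():
            return True
        self.samples.append(eps)
        return False

class NeverBeforeSeen:
    """Flags the first occurrence of a key such as (host, destination port,
    protocol); a new application shows up here rather than as a rate breach."""
    def __init__(self):
        self.seen = set()

    def observe(self, key) -> bool:
        if key in self.seen:
            return False
        self.seen.add(key)
        return True
```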

19 Vulnerability correlation: between a vulnerability scanner and a detection engine; asset identification; risk correlation; manual/auto mode for assets. Evolutions. Constant issues: internal scanners are hard to get accepted; necessary updates.

20 Scenario correlation: rule-based correlation; complete defined product database; business rules built; compliance rules integrated; predictable mode / non-finite state automaton. Evolutions. Constant issues: standardization; forgotten scenario; what if a step in the scenario is defeated?

21 Dynamic risk analysis. Threat visibility: IDS (CVE, Bugtraq...), antivirus. Vulnerability visibility: vulnerability audit / scanner; asset identification and values via internal scanner. Risk defined as R = Threat * Vulnerability * Impact. Alert severity or even risk assessment can be defined in a product (product feature, automatic or manual detection mode) or from business knowledge.
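The vulnerability correlation of slide 19 and the R = Threat * Vulnerability * Impact formula of this slide, carried through in an added example that is not the presentation's code. The asset inventory, the vulnerability ids (placeholders, not real CVE numbers) and the factors used when the scanner cannot confirm a vulnerability are all constructed assumptions.

```python
# Constructed inventory: impact weight in [0,1] (business value of the asset) and
# the vulnerability ids reported for it by the internal scanner (placeholders).
ASSETS = {
    "192.0.2.10": {"impact": 0.9, "vulns": {"VULN-A", "VULN-B"}},
    "192.0.2.20": {"impact": 0.3, "vulns": {"VULN-C"}},
}
# Assumed Vulnerability-term factors: confirmed by the scanner, not confirmed,
# and asset not inventoried at all (manual mode: the analyst must decide).
CONFIRMED, UNCONFIRMED, UNKNOWN_ASSET = 1.0, 0.2, 0.5

def vulnerability_factor(asset: str, vuln_id: str) -> float:
    """Correlate the detection engine's reference (CVE/Bugtraq-style id) against
    the scanner's findings for the targeted asset."""
    rec = ASSETS.get(asset)
    if rec is None:
        return UNKNOWN_ASSET
    return CONFIRMED if vuln_id in rec["vulns"] else UNCONFIRMED

def risk(alert: dict) -> float:
    """R = Threat * Vulnerability * Impact, each term normalized to [0,1]."""
    threat = alert["severity"] / 10                     # IDS severity out of 10
    vuln = vulnerability_factor(alert["target"], alert["vuln_id"])
    impact = ASSETS.get(alert["target"], {"impact": 0.5})["impact"]
    return round(threat * vuln * impact, 3)

def rank_alerts(alerts: list) -> list:
    """Order alerts for the analyst by computed risk, highest first."""
    return sorted(alerts, key=risk, reverse=True)

# Constructed IDS alerts: same signature severity, different targets, so the
# ranking is decided entirely by the vulnerability and impact terms.
ALERTS = [
    {"id": 1, "severity": 8, "target": "192.0.2.20", "vuln_id": "VULN-A"},
    {"id": 2, "severity": 8, "target": "192.0.2.10", "vuln_id": "VULN-A"},
    {"id": 3, "severity": 8, "target": "192.0.2.99", "vuln_id": "VULN-A"},
]

if __name__ == "__main__":
    for a in rank_alerts(ALERTS):
        print(a["id"], a["target"], risk(a))
```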

22 Risk mitigation: manual (SOC/MSSP, 24/24); automatic threat responses (CIDF).

23 SIM/SEM state of the art; Correlation: difficulties; Correlation modes and new approaches; Algorithms and principles; Conclusion; Synopsis

24 Evolutions and trends: 50% of new IDS/IPS solutions use SIM/SEM to deploy; many security components standardized; combined correlation modes; closest to business goals; advanced features; all-inclusive possibilities.

25 SIM and enterprise. Goal: events referred to as security policy leakage. Security information, security alarm, reaction processes, security components. SIM supervision: technical, organisation, relevance, risk mitigation.

26 Special thanks

27 Questions

28 © DEVOTEAM GROUP. This document is not to be copied or reproduced in any way without Devoteam express permission. Copies of this document must be accompanied by title, date and this copyright notice. Contact: David Bizeul. Authors: David Bizeul. Date of release: 20/02/2006. File info: Evolutions SIM.

